Abstract


Much  of  the  cyber  capabilities  that  enable  mission  owners  to  function  are  outside  their 
influence  and  often  outside  their  visibility.  This  situation  exists  because  of  the  confusing  nature 
of  “cyber,”  how  the  Air  Force  has  evolved  cyber  capabilities,  significant  institutional 
disconnects,  what  a  mission  owner  wants,  and  the  nature  of  risk  management.  The  consequences 
of  these  issues  are  more  than  academic  concerns  as  they  have  contributed  to  tangible  issues 
throughout  the  Air  Force.  At  present,  it  appears  that  there  is  a  disconnect  between  the  state  of 
cyber  capabilities  from  the  perspective  of  the  user  and  that  of  key  leaders  in  positions  to  exert 
great  influence  on  the  future  of  cyber  in  the  Air  Force.  While  the  Air  Force  likely  cannot  afford 
to  meet  every  organization’s  desired  level  of  performance,  it  can  ensure  that  it  closes  the  gap 
between  actual  performance  and  the  assessed  level  of  performance — ensuring  that  programmatic 
and  operational  decisions  are  based  on  a  shared  understanding  of  reality.  Such  transparency  and 
shared  understanding  will  also  provide  additional  accountability  at  all  levels  of  cyber  operations. 
This  will  facilitate  informed  discussions  that  can  ensure  authorities  and  responsibilities  remain 
aligned  with  mission  requirements,  but  still  balanced  with  accountability  for  performance. 


“All  [Airmen]  performing  missions  need  information  to  make  the 
right  decision  -  whether  it’s  putting  bombs  on  target,  dropping 
humanitarian  aid,  uploading  a  software  patch  to  [a]  satellite, 
designing  base-level  IT  infrastructure,  or  even  prescribing  the  right 
medical  treatment.” 

Air Force Information Dominance Flight Plan 2015¹

Introduction 

A portion of the Air Force’s cyber capabilities focuses on attacking and exploiting
adversary  networks,  but  the  majority  exists  to  provide  support  to  non-cyber  functions.  The  Air 
Force  uses  information  technology  (IT)  to  enable  efficiency  and  effectiveness  for  every  mission 
area,  ranging  from  weapons  systems  to  installation  support  and  business  functions.  The  Air 
Force  tasked  24th  Air  Force  (24  AF)  with  the  operation  of  Air  Force  cyber  capabilities,  but  does 
not  have  effective  visibility  into  all  of  the  cyber  terrain  that  supports  these  mission  areas.  In 
addition,  these  mission  activities  often  have  little  insight  into  the  status  of  services  managed  or 
provided  by  24  AF  and  functional  communities.  Mission  owners  must  assume  that  the  providers 
of  a  capability  are  going  to  deliver  whenever  they  need  the  service. 

Organizations  and  missions  are  increasingly  dependent  on  cyber  resources,  but  those 
capabilities  are  subject  to  disruption,  degradation,  and  failure.2  Critical  information  required  to 
support  decisions  and  mission  owners  face  a  range  of  threats  from  adversary  action  to 
environmental  conditions.3  However,  much  of  the  cyber  capabilities  that  enable  mission  owners 
to  function  are  outside  their  influence  and  often  outside  their  visibility.  This  situation  exists 
because  of  the  confusing  nature  of  cyber,  how  the  Air  Force  has  evolved  cyber  capabilities, 
significant  institutional  disconnects,  what  a  mission  owner  wants,  and  the  nature  of  risk 
management.  The  consequences  of  these  issues  are  more  than  academic  concerns  as  they  have 
generated tangible consequences throughout the Air Force.

Much of the discussion in this paper focuses on the unclassified portion of the Air Force
Network  (AFNet),  otherwise  known  as  the  Nonsecure  Internet  Protocol  Router  Network 
(NIPRNET),  to  improve  access  to  relevant  information  and  facilitate  distribution.  Focusing  on 
NIPRNET  may  generate  concerns  that  the  discussion  focuses  excessively  on  a  primarily 
administrative  (and  therefore  less  important)  network,  where  other  networks,  like  the  SECRET 
Internet  Protocol  Router  Network  (SIPRNET),  are  more  mission  focused.  However, 
classification  concerns  and  the  general  programmatic  state  of  SIPRNET  drove  the  use  of 
NIPRNET  and  specifically  the  AFNet  as  the  primary  focus.  Regardless,  many  of  the  concepts 
discussed  are  network-agnostic,  since  the  true  mission  requirement  is  access  to  information  and 
the  ability  to  exchange  data  as  needed. 

As  cyberspace  is  not  the  exclusive  domain  of  the  cyber  operator,  this  paper  describes 
issues  that  are  the  concern  of  more  than  a  cyber  audience.  It  is  not  mere  advocacy  for  additional 
resources  against  cyber  capabilities,  nor  is  it  a  suggestion  that  the  capabilities  discussed  are 
inherently  governmental  in  nature — those  are  important  issues,  but  outside  the  scope  of  this 
paper.  It  should  inform  leaders,  mission  owners,  and  functional  communities  within  the  Air 
Force  on  issues  that  exist  within  the  Air  Force  enterprise  and  facilitate  a  discussion  on  how  to 
manage  and  invest  in  cyber  and  cyber-enabled  capabilities.  Without  common  understanding,  it  is 
difficult  to  have  consensus  on  what  capabilities  are  the  most  important  to  mission  owners,  what 
performance  levels  they  require,  and  how  to  resource  capabilities  appropriately.  The  disconnects 
outlined in this paper undercut the effectiveness of that dialogue.

GENESIS OF CYBER CONFUSION


Inconsistent,  Misunderstood,  and  Evolving  Terminology 

“If  you  wish  to  converse  with  me,  define  your  terms” 

Voltaire4 

Understanding  the  term  cyber  can  be  an  exercise  in  confusion.  It  is  a  relatively  new 
addition  to  the  military  vocabulary  and  while  it  is  common  to  use  conversationally,  that  usage  is 
not  always  based  on  specific  definitions.  As  a  result,  it  finds  common  usage  in  place  of  legacy 
terms,  while  seemingly  interchangeable  with  an  array  of  other  words.  In  fact,  the  Department  of 
Defense  dictionary  does  not  have  an  entry  for  cyber  specifically,  but  a  close  look  at  the 
definitions  surrounding  cyber  reveals  a  complex  universe  of  terms  and  potential  confusion. 

While  cyber  may  not  be  a  defined  word,  it  should  be  accepted  as  a  colloquial  version  of 
cyberspace  which  the  Department  of  Defense  (DoD)  defines  as  “a  global  domain  within  the 
information  environment  consisting  of  the  interdependent  networks  of  information  technology 
infrastructures  and  resident  data,  including  the  Internet,  telecommunications  networks,  computer 
systems,  and  embedded  processors  and  controllers.”5  Based  on  this  definition,  cyber  is 
something  more  than  just  information  technology,  but  less  than  the  information  environment 
which  is  defined  as  “the  aggregate  of  individuals,  organizations,  and  systems  that  collect, 
process,  disseminate,  or  act  on  information.”6  To  expand  to  how  cyberspace  is  operated  and 
maintained,  joint  doctrine  divides  cyberspace  operations  into  offensive,  defensive,  and  DoD 
Information  Network  (DODIN)  operations.7  While  the  first  two  are  self-explanatory,  the  third 
consists  of  “operations  to  design,  build,  configure,  secure,  operate,  maintain,  and  sustain 
Department  of  Defense  networks  to  create  and  preserve  information  assurance  on  the 
Department  of  Defense  information  network.”8  This  highlighted  difference  between  networks 
and information network is left somewhat unexplained, but DODIN is an inclusive term that
expands  on  technical  aspects  of  cyberspace  to  include  the  software,  services,  support  personnel, 
and  processes  for  handling  information.9  From  the  interrelation  of  these  various  terms, 
information  environment  and  information  network  appear  very  similar,  suggesting  that  networks 
are  closer  to  the  definition  of  cyberspace  or  even  information  technology.  These  definitions 
confusingly make cyber both an inclusive term (e.g., cyberspace operations) and one exclusive
of anything non-technical (e.g., cyberspace).

Guidance to the DoD on how to develop capabilities in and for cyberspace adds additional
insight into how to use these key terms. The DoD developed its Cyber Strategy to “guide the
development of DoD’s cyber forces and strengthen our cyber defense and cyber deterrence
posture.”10  It  focuses  on  “defending  DoD  networks,  systems  and  information,”  U.S.  national 
interests,  and  providing  operational  capability  to  warfighters.11  To  relate  this  to  the  terms  and 
definitions  above,  this  suggests  that  the  DoD’s  priorities  are  on  capabilities  that  support  the 
offensive  and  defensive  elements  of  cyberspace  operations.  This  stands  in  contrast  with  the  Air 
Force’s  Information  Dominance  Flight  Plan  which  refers  to  the  “systems  and  data  of  cyberspace” 
and  uses  a  combined  “IT/cyberspace”  term,  while  also  using  the  terms  IT  and  cyberspace 
separately.12  The  document  leaves  the  impression  that  the  terms  are  potentially  interchangeable. 

In  addition  to  confusion  created  by  terminology  usage  in  doctrine  and  guidance,  the  Air 
Force  has  repeatedly  changed  the  terms  associated  with  installation-level  functions,  which  is 
where  a  significant  portion  of  Air  Force  personnel  interact  with  cyberspace.  Client  Support 
Administrator  replaced  Work  Group  Manager,  before  the  Air  Force  moved  to  the  term  Client 
Support  Technician  to  reflect  the  title  of  the  Air  Force  Specialty  Code  (AFSC)  that  provides 
first-line  troubleshooting  for  users  and  their  systems.  To  gain  efficiencies  in  supporting  calls 
from customers, the Air Force established the Enterprise Service Desk which was a consolidated
call  center  that  the  Air  Force  later  disbanded — referring  the  user  back  to  their  local  installation 
for  support.  To  comply  with  a  DoD-directed  name  change,  the  Cybersecurity  Office  and  unit 
Cybersecurity  Liaisons  replaced  the  Information  Assurance  Office  and  the  unit  Information 
Assurance  Officers.13  Within  the  Air  Force,  the  organizations  that  conduct  most  cyber-related 
functions  are  communications,  network  operations,  and  cyber  operations  squadrons.  The  officer 
career  field  with  predominant  responsibility  for  cyberspace  is  the  17D  (Cyberspace  Operations) 
core  AFSC  which  replaced  the  Communications  Officer  moniker.  A  certain  portion  of  these 
officers  are  in  positions  identified  for  the  17S  (Cyber  Warfare  Operations)  AFSC.  These  officers 
“[operate]  cyberspace  weapons  systems  and  [command]  crews  to  accomplish  cyberspace, 
training, and other missions.” The remaining officers are in positions designated with the 17D
(Network Operations) AFSC. These officers also “[operate] cyberspace weapons systems,
[employ]  cyberspace  capabilities,  and  [command]  crews  to  accomplish  cyberspace,  training,  and 
other  missions.”14  Despite  a  lack  of  descriptive  difference  in  the  Air  Force  Officer  Classification 
Directory,  as  the  name  implies,  the  17S  career  field  addresses  the  specialized  knowledge  and 
skills  required  to  conduct  offensive  and  defensive  operations.  Adding  another  term,  the  enlisted 
career  field  responsible  for  most  DODIN  operations  within  the  Air  Force,  the  3D  career  field,  is 
titled  Cyberspace  Support.  The  technology  of  cyberspace  evolves  quickly,  but  these  terms 
suggest  that  policy  and  organization  evolve  quickly  as  well. 

It  is  in  this  context  that  audiences  consume  public  statements  by  leadership  throughout 
the  DoD  and  the  Air  Force  specifically.  For  example,  the  DoD  Information  Technology  budget 
request  to  Congress  for  fiscal  year  2017  was  $38.2  billion,  which  included  $6.8  billion  for  cyber 
operations.15  This  is  an  increase  over  the  previous  year’s  budget  request  of  $36.9  billion,  which 
included $5.5 billion for “cyberspace operations and activities.”16 While the difference between
budget  requests  and  what  Congress  enacts  can  vary  and  it  is  difficult  to  compare  budget  numbers 
given  classified  programs  that  may  or  may  not  be  included  in  the  numbers,  these  numbers 
demonstrate  an  intent  to  increase  spending  on  information  technology.  They  also  show  that  the 
increase  is  predominantly  in  cyber  operations,  which  based  on  the  definitions  above  is  mostly 
offensive  and  defensive  capabilities.  The  average  Airman  does  not  generally  see  these  activities, 
so  they  may  not  see  the  benefits  of  increased  spending  on  cyber  in  their  daily  tasks. 

Cyberspace,  as  the  only  domain  entirely  created  by  humans,  is  extraordinarily  complex, 
evolving,  and  requires  a  complex  language  to  describe  it.  Moore’s  Law  is  an  observation  that 
describes  the  ever-increasing  complexity  and  capability  of  computer  processors — nearly 
doubling  every  two  years.  However,  the  term  may  also  loosely  apply  to  the  terminology  and 
organization  that  DoD  uses  for  cyber,  which  may  seem  to  outpace  information  technology 
refresh  rates.  On  the  surface,  this  may  seem  like  a  trivial  issue;  however,  the  lack  of  a  common 
terminology  contributes  to  misunderstanding  and  confusion  over  what  cyber  is,  what  it  is  not, 
and  what  Airmen  should  expect  from  a  domain  that  is  seeing  significant  increases  in  resourcing. 

Consolidation  and  Standardization  of  Information  Technology 

To  gain  efficiencies  and  improve  effectiveness,  the  DoD  and  the  Air  Force  continue  to 
consolidate  and  standardize  IT  capabilities  under  initiatives  like  the  Joint  Information 
Environment,  the  Federal  Data  Center  Consolidation  Initiative,  and  Collaboration  Pathfinder. 
One  area  where  this  consolidation  is  evident  is  in  the  restructuring  of  responsibilities  among 
organizations  that  have  roles  in  the  management  and  sustainment  of  information  technology.  As 
Figure  1  describes,  operation  and  sustainment  of  the  “Air  Force  Communications/Cyber 
enterprise” requires the efforts of multiple organizations, with the Air Force Installation and
Mission Support Center (AFIMSC) being the latest addition.


[Slide: AF Communications/Cyber Enterprise Roles & Responsibilities after AFIMSC. Briefer: Col Robert Borja, IZS]

Base Comm Squadrons: Helpdesk/CFP; Asset Mgmt; Touch Mx
AFLCMC (AFMC): AFWAY; BITI; Lifecycle Management
Cyberspace CFL (AFSPC): Cyberspace Ops; Cyber Force Trng; Long Haul Comm; COMSEC/IA; Records/Pubs
SAF/CIO A6: AF Policy; Career Field Mgmt
AFIMSC (AFMC): E&I Workplan LMR, Giant Voice, Legacy Voice, Cable & Antenna, UPS; FOIA/PA; CONUS Official Mail/Postal; MFM/FAM

Figure 1. AF Communications/Cyber Enterprise Roles & Responsibilities.17

AFIMSC consolidated the major command (MAJCOM) responsibilities for installation and
mission support capabilities, which includes base communications.18 The AFIMSC activated on
6  April  2015  and  achieved  Full  Operating  Capability  in  October  2016,  which  highlights  that  this 
is  a  recent  transition  for  the  communications/cyber  enterprise  and  suggests  that  processes  and 
relationships  among  the  actors  may  still  be  under  development.19  Together  these,  now  six, 
organizations  have  primary  responsibility  for  the  enterprise,  with  each  having  both  distinct  and 
overlapping  responsibilities.  For  example,  several  organizations  share  responsibility  for 
sustaining  and  providing  the  infrastructure  that  serves  as  the  backbone  of  the  network  at  each 
installation.  As  depicted  in  Figure  1,  the  Air  Force  Life  Cycle  Management  Center  (AFLCMC) 
oversees  the  Base  Information  Transport  Infrastructure  (BITI)  program  which  provides  the 
“wired cyber network infrastructure at each . . . base.”20 Additionally, AFIMSC now oversees the
Engineering  and  Installation  (E&I)  Workplan  process,  which  ensures  “the  Air  Force  cyberspace 
infrastructure  is  mission  ready.”21  These  programs  traditionally  are  unable  to  satisfy  every 
requirement  at  the  base  level,  so  MAJCOMs  and  base-level  organizations  often  supplement  the 
central  programs.  Examples  exist  beyond  just  infrastructure,  but  this  one  example  demonstrates 
the  complex  relationships  among  multiple  organizations  to  provide  cyber  capabilities.  While  this 
structure  may  provide  some  flexibility,  it  complicates  programmatic  trades  in  the  context  of  the 
entire  enterprise,  gives  multiple  paths  for  funding  capability,  and  dilutes  responsibility  for  cost 
and  performance. 

To  provide  additional  structure  to  its  networks,  the  Air  Force  formally  designated  several 
weapon  systems  to  provide  and  secure  cyberspace  capabilities.22  Many  of  the  capabilities 
provided  by  these  weapon  systems  were  already  in  existence,  but  transitioning  to  the  weapon 
system  model  was  done  to  “help  ensure  proper  management  and  sustainment  of  equipment  life 
cycles.”23  Of  the  six  weapon  systems  designated  in  2013,  the  Air  Force  Cyber  Security  and 
Control  System  (CSCS)  provides  much  of  the  network  and  services  that  users  interact  with 
regularly  on  the  AFNet.  CSCS  was  the  next  step  in  a  lengthy  and  complex  effort  to  consolidate 
the  operation  of  disparate  MAJCOM  networks.24  While  this  may  be  a  better  construct  than  what 
preceded  it,  the  results  demonstrate  that  the  Air  Force  has  not  yet  realized  the  expected  benefits 
of  weapon  system  designation.  The  561st  Network  Operations  Squadron,  one  of  the  primary 
organizations  charged  with  the  operation  of  the  CSCS  weapon  system,  characterized  it  in  late 
2016  as  having  “no  baseline,”  having  a  sustainment  model  that  “doesn’t  meet  operational  need,” 
lacking  programmatic  processes,  and  lacking  accountability.25  As  the  organizational  construct  for 
managing  the  Air  Force’s  networks  continues  to  evolve,  the  resulting  capability  must  be 
monitored to assess the effectiveness of the changes and to ensure the system continues to meet
customer  needs. 

As  the  above  list  of  organizations  involved  in  the  maintenance  and  operation  of  the  Air 
Force’s  cyber  capabilities  implies,  synchronizing  authority,  accountability,  and  responsibility  is 
complex.  In  many  cases,  the  nexus  between  the  organizations  listed  above  and  the  mission  is  the 
installation — the  platform  from  which  the  Air  Force  conducts  its  missions  and  projects  power.  In 
this  construct,  the  communications  squadron  or  the  frontline  technician  is  accountable  to  their 
local  leadership  to  assure  the  missions  conducted  from  that  installation.  As  the  local  cyber 
operators  and  maintainers,  they  represent  the  primary  interface  for  the  entire  array  of 
organizations involved in providing cyber-enabled capabilities, regardless of whether they have the
responsibility  or  authority  to  address  the  specific  issue.  Likewise,  where  the  technician  may  be 
responsible  for  assisting  a  customer  with  an  issue,  the  rights  delegated  to  them  on  the  network 
may  limit  their  ability  to  be  responsive.  Taken  together,  these  disconnects  provide  a  source  of 
confusion  and  perceived  distance  between  mission  owners  and  those  that  provide  and  sustain  the 
capabilities  that  support  them. 

Institutional  Disconnects 

To  standardize  delivery  of  installation  support  services,  the  Air  Force  developed  its 
Common  Output  Levels  Standards  (AF  COLS).  This  program,  modeled  after  the  Joint  Base 
COLS  program,  allows  the  Air  Force  to  “streamline  operations  in  a  fair  and  consistent 
manner.”26  In  practice,  AF  COLS  is  a  process  that  determines  desired  levels  of  service  and 
holistically  informs  planning,  programming,  budgeting,  and  execution.27  AF  COLS  addresses  43 
installation  support  activities — those  functions  that  are  typical  to  most  installations  and  most  of 
which are found in the local Mission Support Group.28 Functions are assigned a number from
one  to  four,  with  one  representing  the  highest  standard.  For  those  functions  assigned  a  four,  the 
Air  Force  accepts  that  their  performance  may  be  substandard,  but  still  able  to  meet  operational 
and/or  legal  requirements.29  AF  COLS  allows  the  Air  Force  to  proactively  manage  installation 
support  requirements,  assess  risk  at  a  corporate  level,  and  consistently  apply  priorities  to  meet 
needs  and  fiscal  constraints.  For  FY17,  Cyberspace  Operations  and  Information  (CO&I)  is  a 
three,  the  same  as  its  level  from  FY16  and  FY13.30  For  the  sake  of  comparison,  Table  1  lists  the 
number of functions by AF COLS level.


Table 1. Count of functions by AF COLS level

AF COLS Level    Description of Standard           Functions at this level
AF COLS 1        “Highest standard”                9 functions
AF COLS 2        “Slightly-reduced standard”       20 functions
AF COLS 3        “Moderately-reduced standard”     10 functions
AF COLS 4        “Greatly-reduced standard”        4 functions

The  Air  Force  must  make  decisions  about  how  to  balance  capabilities  and  budget  realities,  but  an 
examination  of  AF  COLS  gives  insight  into  why  the  service  has  cyberspace  capabilities  that  do 
not  meet  everyone’s  expectations:  it  chose  to.  As  these  levels  inform  the  planning  and 
programming  process,  AF  COLS  will  influence  performance  levels  for  several  years. 

Despite  the  corporate  risk  that  the  Air  Force  has  chosen  to  accept  in  this  area,  24th  Air 
Force  identifies  in  its  mission  brief  that  they  achieved  99.999%  availability.31  Availability  is  a 
common  measure  used  to  identify  the  amount  of  time  that  a  service  is  able  to  perform  its 
required  function,  expressed  as  a  percentage.  In  this  case,  99.999%  equates  to  no  more  than  25.9 
seconds  of  downtime  every  month.  This  level  of  performance  is  difficult  to  achieve:  Gmail, 
Google’s email product, achieved a 99.978% availability in 2013.32 Given the level of
performance  that  “Five  9s”  describes,  it  is  unlikely  that  24th  Air  Force  was  suggesting  that  the 
entire Air Force Information Network and its associated services were available everywhere at
that  availability  rate.  However,  without  caveats,  it  appears  to  highlight  an  institutional 
disconnect:  a  notably  high  performance  level  on  a  capability  for  which  the  Air  Force  chose 
corporately  to  take  risk.  This  may  also  generate  confusion  among  customers,  such  as  those 
associated  with  the  CSCS  weapon  system,  who  may  not  perceive  their  particular  experience  as 
reflected  in  such  a  high  representation  of  performance.  Additionally,  this  may  provide  confusing 
feedback  to  the  Air  Force  corporate  structure  on  performance  possible  under  an  AF  COLS  3 
level  as  it  suggests  the  capability  can  absorb  additional  resource  reductions  and  still  achieve  the 
prescribed  output  level. 
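
The gap described above, between a headline availability figure and what a user at one installation experiences, worked through as an added example that is not from the paper or from 24th Air Force. The site names, the outage records, the "core" scope label and the rule that a user needs both the core layer and the local layer are constructed assumptions.

```python
from dataclasses import dataclass

PERIOD_S = 30 * 24 * 3600  # 30-day month (2,592,000 s), the basis of the 25.9 s figure


def downtime_budget_s(target_pct, period_s=PERIOD_S):
    """Seconds of downtime a target availability allows in one period."""
    return period_s * (100.0 - target_pct) / 100.0


@dataclass(frozen=True)
class Outage:
    scope: str    # "core" = enterprise-provided layer, otherwise a site name (hypothetical)
    service: str
    start_s: int  # offsets in seconds from the start of the period
    end_s: int


def merged_downtime_s(intervals, period_s=PERIOD_S):
    """Total seconds covered by the intervals; overlapping outages count once."""
    total = 0
    cur_start = cur_end = None
    for start, end in sorted(intervals):
        start, end = max(0, start), min(period_s, end)  # clip to the period
        if start >= end:
            continue
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def availability_pct(outages, service, scopes, period_s=PERIOD_S):
    """Availability of a service, counting outages in any of the listed scopes.

    Assumption: a user needs both the core layer and the local layer, so an
    outage in either one is downtime from the user's seat.
    """
    spans = [(o.start_s, o.end_s) for o in outages
             if o.service == service and o.scope in scopes]
    return 100.0 * (1 - merged_downtime_s(spans, period_s) / period_s)


def report(outages, service, sites, target_pct=99.999):
    """Map each view to (availability rounded to 4 places, meets target?)."""
    views = {"core only": {"core"}}
    views.update({site: {"core", site} for site in sites})
    result = {}
    for name, scopes in views.items():
        pct = availability_pct(outages, service, scopes)
        result[name] = (round(pct, 4), pct >= target_pct)
    return result


# Constructed sample data: one month of email outages at hypothetical sites.
SAMPLE_OUTAGES = [
    Outage("core", "email", 1000, 1020),          # 20 s enterprise-wide
    Outage("Base B", "email", 900, 1500),         # 10 min, overlaps the core outage
    Outage("Base B", "email", 500000, 514400),    # 4 h local failure
    Outage("Base C", "email", 2000000, 2000090),  # 90 s local failure
]

if __name__ == "__main__":
    print(f"five-nines budget: {downtime_budget_s(99.999):.2f} s per 30 days")
    rows = report(SAMPLE_OUTAGES, "email", ["Base A", "Base B", "Base C"])
    for view, (pct, ok) in rows.items():
        print(f"{view:10s} {pct:8.4f}%  meets 99.999%: {ok}")
```

With this data the core-only view meets five nines while Base B and Base C do not, so the same month supports both the provider's figure and the customer's complaint.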

What  a  Mission  Owner  Wants 

Regardless  of  any  confusion  that  may  exist,  it  is  crucial  to  understand  what  mission 
owners  require.  Many  of  them  are  not  cyber  professionals,  but  rely  heavily  on  the  capabilities 
that  cyber  provides.  While  they  want  to  understand  and  manage  any  risks  to  their  mission,  they 
rely  on  others  to  ensure  that  needed  capabilities  are  available  at  the  required  time  and  place.  As 
the  Deputy  Commander  of  U.S.  Cyber  Command  described,  “I  had  a  communications  staff,  and  I 
just  told  them  to  make  sure  my  network  was  always  working.  Even  if  there  were  issues  with 
cybersecurity standards or if we needed to get a waiver, my answer was, ‘Yes, just get it in place,
just make it work.’”33 Regardless of organizational, technical, or other complexities, a mission
owner wants their cyber enabling capabilities to work and to have confidence that they will do
so. It is understandable that this is the desire of any user of any capability — that it just works.

In  the  context  of  the  Federal  Government,  an  effort  to  define  “make  it  work”  can  start 
with  law.  The  Federal  Information  Security  Management  Act  (FISMA)  defines  the  security 
objectives for information and information systems as confidentiality, integrity, and availability.
Confidentiality  refers  to  protecting  against  “unauthorized  disclosure  of  information.”34  Integrity 
refers  to  protecting  against  the  “unauthorized  modification  or  destruction  of  information.”35 
Availability  refers  to  protecting  against  the  “disruption  of  access  to  or  use  of  information  or  an 
information  system.”36  While  having  the  maximum  assurance  of  all  three  would  be  the  obvious 
ideal,  it  is  not  always  possible  or  practical;  however,  mission  owners  can  assess  the  importance 
of  each  objective  based  on  expected  impact  and  effectively  prioritize.  Information  systems  built 
to support the mission can consider the relative importance of each security objective and tailor
their  design  to  prioritize  those  controls  that  will  have  the  greatest  positive  impact  in  ensuring  that 
the  system  “just  works.” 

Nature  of  Risk  Management 

Given  the  Air  Force’s  reliance  on  the  cyber  capabilities  and  the  construct  under  which  we 
provision  and  employ  those  capabilities,  it  is  helpful  to  have  a  model  for  understanding  how 
those  capabilities  can  generate  and  mitigate  risk  for  the  organization  and  its  mission.  The 
following  function  demonstrates  the  relationship  of  the  components  of  risk  and  how  effective 
risk  management  results  from  manipulating  them. 

Risk  =  function  (threat  x  vulnerability  x  impact) 

As  this  formula  implies,  risk  to  an  organization  requires  a  capable  threat  that  exploits  a 
vulnerability  which  has  an  impact.  This  concept  is  best  expressed  as  a  function  to  highlight  that 
every  mission  risk  is  the  result  of  these  three  arguments,  with  each  having  a  direct  effect  on  the 
resulting  risk.  For  example,  if  the  potential  impact  is  mission  failure,  then  the  risk  would 
calculate  to  a  correspondingly  high  value.  Likewise,  if  a  situation  exists  where  there  is  zero 
threat to exploit a specific vulnerability, then that situation represents zero risk to the
organization.  This  model  is  further  effective  in  developing  strategies  to  address  identified  threats, 
since  it  allows  a  mission  owner  to  assess  whether  the  threat  constitutes  any  real  risk  to  the 
organization.  Where  it  does,  it  helps  facilitate  development  of  alternatives  to  reduce  the  risk:  by 
reducing  the  threat,  mitigating  the  vulnerabilities,  decreasing  the  impact,  or  a  combination  of  all 
three. 


Threat 

Threats  are  anything  that  contributes  to  the  “tampering,  destruction,  or  interruption  of  any 
service  or  item  of  value.”37  In  other  words,  threats  can  range  from  adversary  action  to  acts  of 
nature  and  even  the  well-intentioned  actions  of  an  inadequately  trained  system  administrator,  so 
the assessment of threats must consider their motivation in addition to their ability to impose risk. For
example,  an  adversary  may  be  well  motivated  to  access  classified  logistics  systems,  but  they  lack 
the  capability  to  find  and  exploit  the  necessary  vulnerabilities.  Likewise,  a  user  may  have 
authorized  access  to  a  system,  but  lack  motivation  to  do  anything  nefarious  with  it.  Other  threats 
are  not  subject  to  influence  or  motivation,  such  as  acts  of  nature.  Some  threats  exist  only  as 
generic  characterizations,  such  as  hackers  or  terrorists,  and  are  not  subject  to  influence  until 
specific  actors  identify  themselves.  This  will  encourage  mission  owners  to  focus  on  the  other  two 
arguments  of  the  risk  function,  over  which  they  have  greater  control. 

Vulnerability 

Vulnerabilities  are  not  just  those  associated  with  software  patches,  but  can  include 
improper  earthquake  protection  for  a  datacenter,  single  points  of  failure  in  an  architecture,  lack 
of backup power, or lack of encrypted storage on mobile devices. While it is tempting to focus
on  information  systems,  it  is  crucial  to  focus  on  the  access  and  use  of  information  that  is 
necessary  to  conduct  the  organization’s  mission.  Additionally,  vulnerabilities  can  exist  and  be 
exploited  even  before  they  are  known  to  the  mission  or  system  owner.  Drawing  this  back  to  the 
risk  function  described  above,  the  value  of  the  vulnerability  relates  to  how  costly  it  is  for  a  threat 
to  exploit  it  (e.g.,  a  vulnerability  that  is  costly  to  exploit  results  in  a  lower  score).  Some  costs  are 
financial,  while  others  may  be  expressions  of  level  of  effort  (e.g.,  specialized  expertise  or  long 
development  timelines).  For  example,  most  software  manufacturers  regularly  release  patches  to 
known  vulnerabilities.  While  this  process  eliminates  many  known  vulnerabilities,  it  also 
advertises  their  existence  and  provides  technical  details  that  make  exploiting  that  vulnerability 
easier  against  an  unpatched  system — resulting  in  an  increased  contribution  to  risk.  The  longer 
vulnerabilities  are  known,  the  easier  and  less  costly  they  are  to  exploit  since  potential  threat 
actors  can  leverage  the  work  of  others.  On  the  other  end  of  the  spectrum,  undisclosed 
vulnerabilities  are  the  costliest  since  they  may  require  in-house  or  contracted  development  work. 
These  undisclosed  vulnerabilities  are  called  “zero-days,”  since  the  developer  has  had  zero  days 
to  create  a  fix  or  workaround.38 

Upon  the  first  exploitation  of  a  vulnerability,  a  window  of  vulnerability  exists  until  a  fix 
can  be  developed  and  applied.39  During  that  window,  system  developers  and  administrators  are 
racing  against  potential  threats  that  might  exploit  the  vulnerability  to  attack  a  system.  This  race 
generates  economic  forces,  which  friendly  and  adversary  organizations  can  exploit.  As  the  DoD 
Chief  Information  Officer  stated,  “from  a  standpoint  of  cybersecurity,  right  now  we’re  on  the 
wrong side of the financial spectrum here . . . you can spend a little bit of money and a little bit of
time and exploit some our [sic] weaknesses, and cause us to have to spend a lot of money, a lot
of time.”40 As an example, zero-day broker Zerodium will pay as much as $1.5 million for
“original  and  previously  unreported  zero-day  exploits.”41  In  turn,  they  sell  access  to  their  library 
of  exploits  for  an  annual  fee  of  $500,000  or  more.42  In  some  cases,  these  types  of  sales  are  large 
enough  to  make  the  news  such  as  when  the  Director  of  the  Federal  Bureau  of  Investigation 
indicated  that  his  agency  paid  more  than  $1.3  million  to  access  the  encrypted  iPhone  used  by  an 
attacker  in  a  mass  shooting.43  Many  software  companies  have  their  own  programs  to  incentivize 
people  to  develop  and  submit  vulnerabilities,  with  varying  rewards  available  (e.g.,  Microsoft 
offers up to $200,000, Google will pay up to $20,000, and Apple up to $200,000).44 With such
legitimate  entities  willing  to  pay  significant  amounts  of  money  for  exploits  (along  with 
presumably  illegitimate  ones),  there  is  no  shortage  of  motivation  on  the  supply  side  of  exploit 
development.  This  suggests  that  the  only  way  to  influence  the  market  is  through  demand.45 
While  there  are  indications  that  demands  from  government  agencies  heavily  influence  the 
market,  most  organizations  do  not  have  sufficient  resources  to  influence  such  an  expensive 
market.46  However,  this  does  not  mean  they  cannot  take  advantage  of  it:  driving  the  cost  to 
potential  threats  as  high  as  possible  by  denying  the  use  of  known  vulnerabilities.  For  commercial 
products,  this  means  implementing  fixes  to  vulnerabilities  as  early  in  the  window  of  vulnerability 
as  possible.  For  government  developed  software,  program  offices  must  pursue  and  be 
accountable  to  the  same  goal. 

A  goal  of  patching  systems  as  quickly  as  possible  seems  intuitive,  but  vulnerability 
management  continues  to  be  an  elusive  problem.  Predictions  are  that  through  the  year  2020,  99% 
of  exploits  will  be  based  on  vulnerabilities  that  were  known  for  a  minimum  of  one  year.47 
According  to  a  Verizon  study  in  2015,  85%  of  all  exploit  traffic  was  generated  by  the  top  10 
vulnerabilities;  additionally,  more  exploited  vulnerabilities  came  from  2007  than  any  other 
year.48 Even for newer patches, the timelines support the need for deliberate and even aggressive
vulnerability  management:  of  the  most  critical  category  of  Microsoft  vulnerabilities  identified  in 
2015,  only  5%  were  believed  to  have  been  exploited  within  30  days  of  a  patch  being  available.49 
In  2014,  it  took  software  companies  an  average  of  59  days  to  develop  and  release  patches  to 
vulnerabilities  once  they  were  identified.50  In  short,  the  longer  a  vulnerability  remains,  the  less 
costly  it  is  for  a  threat  to  exploit;  however,  once  a  patch  has  been  developed  and  published,  the 
cost  to  mitigate  the  vulnerability  drops  precipitously.  While  zero  day  vulnerabilities  are  difficult 
to  counter,  there  is  still  substantial  benefit  in  an  effective  and  efficient  vulnerability  management 
process — one  that  decreases  risk  by  increasing  the  cost  to  potential  threats. 
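One way to turn the timelines in this section into a routine patch-aging report, as an added example that is not part of the original paper: open findings are bucketed by how long the flaw has been public and how long a fix has been available. The `Finding` record, the bucket names, the use of the 30-day and one-year figures as cutoffs, and all hosts, identifiers and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Bucket boundaries reuse two figures quoted in the text; treating them as
# reporting thresholds is an assumption of this example.
EARLY_WINDOW_DAYS = 30   # "within 30 days of a patch being available"
LONG_KNOWN_DAYS = 365    # "known for a minimum of one year"

# Patch order: the longer a flaw has been public, the cheaper it is to exploit.
PRIORITY = {"long-known": 0, "overdue": 1, "in-window": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                     # constructed placeholder, not a real ID
    disclosed: date                  # date the flaw became publicly known
    patch_released: Optional[date]   # None: the vendor has not shipped a fix


def classify(f: Finding, today: date) -> str:
    """Place one open finding in an exposure bucket as of `today`."""
    patch = f.patch_released
    if f.disclosed > today or (patch is not None and patch > today):
        raise ValueError(f"{f.host}/{f.vuln_id}: date lies in the future")
    if patch is None:
        return "no-patch"            # patching cannot close it yet
    if (today - f.disclosed).days >= LONG_KNOWN_DAYS:
        return "long-known"
    if (today - patch).days > EARLY_WINDOW_DAYS:
        return "overdue"
    return "in-window"


def patch_queue(findings, today):
    """Patchable findings, most urgent first (bucket, then days public)."""
    patchable = [f for f in findings if classify(f, today) != "no-patch"]
    return sorted(
        patchable,
        key=lambda f: (PRIORITY[classify(f, today)], -(today - f.disclosed).days),
    )


def summary(findings, today):
    """Count open findings per bucket for a status report."""
    counts = {"long-known": 0, "overdue": 0, "in-window": 0, "no-patch": 0}
    for f in findings:
        counts[classify(f, today)] += 1
    return counts


# Constructed sample inventory and report date (not data from the paper).
TODAY = date(2017, 4, 1)
SAMPLE = [
    Finding("mail-01", "VULN-A", date(2015, 11, 10), date(2015, 12, 8)),
    Finding("web-02", "VULN-B", date(2017, 1, 10), date(2017, 2, 14)),
    Finding("ws-117", "VULN-C", date(2017, 3, 14), date(2017, 3, 14)),
    Finding("gw-09", "VULN-D", date(2017, 3, 20), None),
    Finding("db-03", "VULN-A", date(2015, 11, 10), date(2015, 12, 8)),
]

if __name__ == "__main__":
    print(summary(SAMPLE, TODAY))
    for f in patch_queue(SAMPLE, TODAY):
        print(classify(f, TODAY), f.host, f.vuln_id)
```

Findings in the `no-patch` bucket are left out of the queue because no fix exists to apply; they need a different mitigation until one is published.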

Impact 

The  impact  of  a  risk  to  an  organization  can  range  from  nuisance  to  mission  failure. 
Businesses  reduce  impacts  to  a  dollar  value  that  incorporates  lost  productivity,  lost  revenue, 
damage  to  equipment,  unscheduled  overtime,  etc.  For  example,  data  breaches  for  companies  in 
the  United  States  cost  an  average  of  $221  per  record  ($76  in  direct  costs  and  $145  in  indirect 
costs),  with  each  breach  averaging  a  total  of  $7  million.51  Armed  with  this  information, 
companies  can  make  a  cost-benefit  assessment  on  any  investment  that  would  reduce  the  risk  of  a 
data  breach.  However,  the  Air  Force  does  not  generate  revenue  and  is  not  in  competition  for 
business,  so  it  cannot  necessarily  use  impacts  to  the  bottom  line  as  an  effective  means  of 
assessing  impact.  For  example,  it  is  difficult  to  quantify  the  impact  of  a  network  outage  that 
interrupts  dissemination  of  missions  to  geographically  dispersed  units.  It  is  also  difficult  to 
compare  that  to  an  Air  Force-level  issue  preventing  access  to  email  across  the  entire  service. 
Both  issues  would  cause  significant  impact,  but  it  would  be  difficult  to  objectively  determine 
which issue is more significant in order to prioritize responses and investment to reduce the risk
of  recurrence. 

Evaluation  of  mission  risk  must  be  from  the  perspective  of  the  various  mission  owners 
that  exist  in  the  Air  Force.  For  example,  from  the  perspective  of  a  contracting  unit,  the  network  is 
a  vulnerability  for  their  mission  effectiveness.  If  the  network,  or  one  of  its  services  (e.g.,  email), 
is  unavailable,  that  may  have  a  significant  impact  on  their  mission.  While  this  scenario  may  not 
be  significant  in  the  context  of  the  entire  Air  Force,  it  may  be  significant  at  a  local  level.  In  an 
organization  as  large  as  the  Air  Force,  lost  productivity  for  a  minor  issue  can  be  significant  when 
extrapolated  out  to  the  entire  population.  For  example,  it  would  arguably  be  worth  $17  million  to 
address  an  issue  that  costs  one  hour  of  time  from  every  uniformed  member  of  the  Air  Force, 
since  that  is  the  appropriated  cost  of  one  hour  of  the  Air  Force’s  payroll.52  Air  Force  leadership 
has said that they “don’t care how you get your email . . . that’s not a fundamental mission of the
Air Force.”53 Mission owners might agree that reliability, wherever email comes from, is
more important.

Managing  Cyber  Risk 

Effective  risk  management  requires  a  mission  owner  to  assess  the  risks  throughout  their 
operation  and  address  those  where  the  impact  of  a  risk  is  greater  than  the  cost  to  mitigate  the 
risk.54  This  is  analogous  to  the  physical  world  where  the  Air  Force  applies  antiterrorism 
measures,  force  protection  concepts,  and  Protection  Levels  to  critical  resources  since  the  cost  of 
implementing  such  measures  is  less  than  the  cost  of  losing  the  resource.  Organizations  will 
naturally  seek  to  address  as  many  risks  as  they  can  afford,  based  on  an  understanding  of  what 
missions are important to them and what functions support those missions. In the case of cyber,
the  most  important  capabilities  are  those  that  support  a  mission  owner’s  critical  functions. 

Since  many  mission  owners  leverage  the  same  cyber  capabilities,  the  service  provider 
must understand all the dependencies on their service. For AF-wide capabilities provided by a
single  provider,  it  would  be  a  complex  endeavor  to  maintain  a  characterization  of  each 
dependency  such  that  they  can  prioritize  service.  This  would  require  a  level  of  understanding  of 
dependence  that  exceeds  the  Air  Force’s  current  ability  to  provide  visibility  into  those  same 
capabilities.  In  terms  of  the  AFNet,  there  are  certain  key  elements  of  the  architecture  that  are 
dependencies  for  a  large  segment  of  the  Air  Force — things  like  connection  off  the  installation, 
enterprise  services,  and  access  to  functional  applications.  This  would  mean  that  these  core 
capabilities  would  need  to  perform  sufficiently  to  satisfy  all  the  dependent  missions. 

MORE  THAN  AN  ACADEMIC  ARGUMENT 

CCRI  Results 

One place where the confusion over cyber is apparent in the Air Force is in external
inspections of its networks. Approximately every two years, the Defense
Information Systems Agency (DISA) completes assessments of every network in the DoD. This
assessment,  called  a  Command  Cyber  Readiness  Inspection  (CCRI),  is  under  the  authority  of 
United  States  Cyber  Command  to  evaluate  and  improve  the  security  of  the  DODIN.55  A  CCRI 
evaluates  processes,  culture,  physical  security,  and  the  current  security  state  of  the  network — 
among  other  things,  ensuring  that  all  networked  devices  are  properly  patched,  configured,  and 
protected.  Unfortunately,  the  amount  of  work  necessary  to  achieve  a  passing  score  is 
unsustainable.56  Units  divert  resources  away  from  day-to-day  operations  to  prepare  for  the 
inspection, only to have the higher (i.e., required) state of security decline immediately after the
inspection.57  The  expressed  intent  is  to  move  away  from  an  inspection-focused  readiness  model, 
to  a  day-to-day  approach  where  repeatable  processes,  training,  policies,  and  technology  are 
leveraged  to  ensure  the  Air  Force  is  always  secure  and  effectively  inspection-ready  at  any  time.58 
A  summit  was  organized  by  the  690th  Cyber  Operations  Group  to  identify  the  root  causes  of  the 
Air  Force’s  inability  to  maintain  the  desired  posture:  20  items  were  identified  (two  training  and 
six  each  for  processes,  technology,  and  policy).59  Counter  to  the  results  of  this  work,  seven 
months  later  the  problem  was  categorized  by  the  24th  Air  Force  commander  as  “training, 
experienced  manpower  and  leadership”  with  a  statement  that  “the  tools  work  fine  . . .  and  [are] 
quite  effective.”60  Despite  the  number  of  issues  identified  by  the  subject  matter  experts,  there 
appears  to  be  a  significant  disconnect  between  those  that  perceived  a  problem  and  those  that  can 
make  it  a  priority.  Until  resolved,  that  disconnect  will  likely  prevent  significant  improvement — 
meaning  that  cybersecurity  is  a  priority  throughout  the  organization,  but  the  result  is  cyber 
insecurity  by  DoD  standards. 

Institutional  Frustration 

In  addition  to  immature/unsustainable  security  processes,  organizations  and  individuals 
within  the  Air  Force  have  indicated  that  the  availability  and  reliability  of  enterprise  services  are 
not  sufficient.  As  one  senior  leader  described  it  when  speaking  at  Air  War  College,  “the  worst 
thing  I  can  do  for  my  productivity  is  turn  on  my  computer  in  the  morning.”61  Several  other  senior 
leaders  categorized  it  similarly.62  In  general,  such  leaders  have  executive  communications 
support,  which  provides  them  with  more  responsive  service  than  the  normal  user — making  it 
logical to assume that their described experience is better than the average. Concerns also extend
beyond  the  individual  complaints. 

Currently  there  are  entire  Air  Force  organizations  that  are  looking  for  options  outside  the 
AFNet.  For  example,  Air  University  is  moving  to  Air  University  Commercial  Internet  Services 
(AUCIS). AUCIS “reduces a current gap in learning productivity . . . by providing increased
accessibility  to  . . .  educational  content  with  high  bandwidth  requirements  on  decidedly  restrictive 
government  managed  networks.”63  Additionally,  the  618th  Air  Operations  Center  is  pursuing 
options  to  alter  its  architecture  to  decrease  its  dependence  on  AFNet  resources.  Air  Force  Special 
Operations  Command  has  also  announced  their  intent  to  move  away  from  the  AFNet,  as  it  cannot 
meet their mission requirements.64 Taken together, these three organizations represent a full
range of mission criticality with regard to cyber capabilities. If the AFNet is not capable of
meeting operational or educational needs, or the expectations of individual Airmen, it is
logical to ask, “what organizations is the AFNet intended to support?”

RECOMMENDATIONS 

Consolidation  of  AFNet  Sustainment 

If  everyone  is  responsible,  then  no  one  is  responsible.  This  adage  is  just  as  applicable  to 
cyber  as  it  is  to  organizational  management.  The  Air  Force  should  continue  to  consolidate 
responsibility  for  the  acquisition  and  sustainment  of  information  technology.  Presumably  this 
responsibility  will  continue  to  align  with  AFLCMC,  given  their  extensive  role  in  the 
management  of  multiple  information  technology-based  capabilities. 

Regardless  of  where  consolidated  responsibility  resides,  performance  accountability  and 
visibility  must  increase.  While  AFLCMC  can  formally  be  accountable  to  a  lead  command,  such 
as AFSPC or AFIMSC, they must also make their program performance assessments available to
a  wider  audience.  Program  managers  should  invite  every  MAJCOM/A6  to  participate  in  formal 
program  reviews  to  ensure  the  programs  continue  to  meet  mission  requirements  and  enable  them 
to  advocate  for  resources  as  needed.  A  component  of  this  visibility  must  also  include  published 
service  levels  for  enterprise  capabilities  to  inform  the  risk  considerations  of  the  mission  owners 
throughout  the  Air  Force.  A  published  expectation  can  facilitate  an  informed  discussion  of  how 
to  resolve  disconnects  with  mission  requirements,  providing  additional  options  to  address  the 
shortfall. 

The  Air  Force’s  Chief  of  Information  Dominance  and  Chief  Information  Officer  has 
announced  that  the  Air  Force  is  moving  to  an  “As  a  Service”  environment.65  The  consolidation 
efforts discussed above do not preclude that concept, nor do they preclude outsourcing those
services.  In  fact,  continued  consolidation  helps  expose  the  true  cost  of  information  technology 
requirements  in  the  Air  Force  and  enables  a  better-informed  cost-benefit  analysis  of  such 
options. 

Model  for  Enterprise  Visibility 

In  addition  to  improved  visibility  into  the  programmatic  aspects  of  providing  cyber 
capabilities,  visibility  of  operational  status  to  mission  owners  must  improve.  Visibility  of  all 
operational  aspects  at  and  from  all  levels  will  increase  understanding  throughout  the  enterprise 
and  increase  accountability,  since  organizations  can  address  concerns  over  performance  based  on 
the  same  information  and  they  can  make  data-driven  decisions  to  address  any  shortfalls. 

As  discussed  previously,  this  visibility  must  incorporate  those  capabilities  that  contribute 
to  confidentiality,  integrity,  and  availability.  This  enables  mission  owners  to  better  understand 
their current risk profile and allows them to make risk-based decisions to mitigate any concerns
to their operations. Confidentiality, integrity, and availability are also the criteria used to assess
systems  in  the  Risk  Management  Framework,  the  process  used  to  authorize  information  systems 
to  operate.  The  process  assists  programs  in  selecting  controls  to  support  the  required  security 
level  of  the  system  and  assesses  their  effectiveness  in  doing  so.66  The  Air  Force  could  extend  the 
use  of  this  model  to  operational  units  and  facilities,  providing  a  general  characterization  of  the 
requirements  of  mission  owners — providing  data  from  which  cyber  operations  and  sustainment 
efforts  can  derive  the  risk  caused  by  developments  in  cyberspace  and  providing  a  means  to 
communicate  the  impact  to  mission  owners.  Such  transparency  on  requirements  and  performance 
will  facilitate  improved  interaction  between  mission  owners  and  the  various  entities  that  have 
responsibilities  in  providing  cyber  capabilities. 

In  addition  to  visibility,  assessment  of  impact  must  also  improve.  While  the  above 
provides  a  means  to  communicate  changing  conditions  within  cyberspace,  the  Air  Force  must 
establish  a  common  frame  of  reference  to  assess  the  impact  of  changes  on  Air  Force  networks, 
both  positive  and  negative.  One  measure  to  assess  impact  would  be  to  sum  the  costs  associated 
with  productivity  and  any  loss  or  required  investment.  For  example,  organizations  could  measure 
the  costs  of  an  unscheduled  outage  in  terms  of  lost  productivity  (normalized  to  a  dollar  value) 
and  any  other  costs  incurred  to  continue  operations  despite  the  outage.  Such  a  construct  could 
help  objectively  assess  the  impact  of  issues,  ensuring  that  capability  providers  prioritize  issues 
with  the  greatest  magnitude  of  impact — including  considerations  of  cost  to  mission,  loss  of 
productivity,  etc.  Such  a  measure  could  also  serve  to  objectively  determine  if  incidents  warrant  a 
formal  investigation  to  determine  root  cause.  Additionally,  program  managers  could  use  the 
measure to assess potential improvements to the network and to help justify the cost of their
implementation. 

Federation  of  Authority 

The  Air  Force  should  conduct  a  comprehensive  review  to  determine  if  organizations 
conducting  cyber  operations,  to  include  installation-level  communications  squadrons,  have  the 
authority,  responsibility,  and  accountability  to  conduct  their  required  tasks.  While  considering 
the  concept  of  least  privilege,  the  Air  Force  must  leverage  and  facilitate  the  cyber  professionals 
at  all  levels  and  enable  them  to  conduct  actions  that  currently  only  a  select  few  can  take.  While 
concerns  over  risk  often  drive  a  restrictive  posture,  decision  makers  must  also  consider  the 
benefits  gained  in  the  increased  number  of  people  able  to  complete  a  task  and  flexibility  to  adapt 
to  local  priorities — allowing  local  commanders  to  balance  mission  and  technical  risks. 

Installation-Level  Capabilities 

Continue  to  pursue  opportunities  to  provide  more  capability  and  flexibility  to 
commanders  and  mission  owners  through  efforts  like  the  Cyber  Squadron  Initiative  and 
deployment  of  the  Mission  Defense  Team  -  Tool  Kit  to  provide  additional  capabilities  at  the  unit 
level.  However,  decision  makers  must  ensure  that  they  communicate  to  mission  owners  that  the 
new  capabilities  are  additive  and  evolutionary,  not  a  substitute  for  the  performance  of  legacy 
information  technology  services. 

CONCLUSION


Many of the cyber capabilities that enable mission owners to function are outside their
influence  and  often  outside  their  visibility.  This  situation  exists  because  of  the  confusing  nature 
of  “cyber,”  how  the  Air  Force  has  evolved  cyber  capabilities,  significant  institutional 
disconnects,  what  a  mission  owner  wants,  and  the  nature  of  risk  management.  The  consequences 
of  these  issues  are  more  than  academic  concerns  as  they  have  contributed  to  tangible  issues 
throughout  the  Air  Force.  At  present,  it  appears  that  there  is  a  disconnect  between  the  state  of 
cyber  capabilities  from  the  perspective  of  the  user  and  that  of  key  leaders  in  positions  to  exert 
great  influence  on  the  future  of  cyber  in  the  Air  Force.  While  the  Air  Force  likely  cannot  afford 
to  meet  every  organization’s  desired  level  of  performance,  it  can  ensure  that  it  closes  the  gap 
between  actual  performance  and  the  assessed  level  of  performance — ensuring  that  programmatic 
and  operational  decisions  are  based  on  a  shared  understanding  of  reality.  Such  transparency  and 
shared  understanding  will  also  provide  additional  accountability  at  all  levels  of  cyber  operations. 
This  will  facilitate  informed  discussions  that  can  ensure  authorities  and  responsibilities  remain 
aligned  with  mission  requirements,  but  still  balanced  with  accountability  for  performance. 